
[SECURITY] [DLA 4170-1] intel-microcode security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-4170-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
May 18, 2025                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : intel-microcode
Version        : 3.20250512.1~deb11u1
CVE ID         : CVE-2024-28956 CVE-2024-43420 CVE-2024-45332 CVE-2025-20012 
                 CVE-2025-20054 CVE-2025-20103 CVE-2025-20623 CVE-2025-24495
Debian Bug     : 1105172

Microcode updates have been released for Intel(R) processors, addressing
multiple potential vulnerabilities that may allow denial of service or
information disclosure.

CVE-2024-28956

    Exposure of Sensitive Information in Shared Microarchitectural
    Structures during Transient Execution for some Intel(R) Processors
    may allow an authenticated user to potentially enable information
    disclosure via local access.

CVE-2024-43420

    Exposure of sensitive information caused by shared
    microarchitectural predictor state that influences transient
    execution for some Intel Atom(R) processors may allow an
    authenticated user to potentially enable information disclosure via
    local access.

CVE-2024-45332

    Exposure of sensitive information caused by shared
    microarchitectural predictor state that influences transient
    execution in the indirect branch predictors for some Intel(R)
    Processors may allow an authenticated user to potentially enable
    information disclosure via local access.

CVE-2025-20012

    Incorrect behavior order for some Intel(R) Core™ Ultra Processors
    may allow an unauthenticated user to potentially enable information
    disclosure via physical access.

CVE-2025-20054

    Uncaught exception in the core management mechanism for some
    Intel(R) Processors may allow an authenticated user to potentially
    enable denial of service via local access.

CVE-2025-20103

    Insufficient resource pool in the core management mechanism for some
    Intel(R) Processors may allow an authenticated user to potentially
    enable denial of service via local access.

CVE-2025-20623

    Exposure of sensitive information caused by shared
    microarchitectural predictor state that influences transient
    execution for some Intel(R) Core™ processors (10th Generation) may
    allow an authenticated user to potentially enable information
    disclosure via local access.

CVE-2025-24495

    Incorrect initialization of resource in the branch prediction unit
    for some Intel(R) Core™ Ultra Processors may allow an authenticated
    user to potentially enable information disclosure via local access.

For Debian 11 bullseye, these problems have been fixed in version
3.20250512.1~deb11u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
